15 September 2008

A New Security Breach in Google Docs Revealed

I am a big fan of Google and, over time, I have started to enjoy the freedom from my desktop with Google Docs. For example, when I keep track of business expenses I have found it easier to update a Google Spreadsheet versus depending on Microsoft Excel on my laptop because I can update from anywhere in the world and share with my bookkeeper too. So, I've been using Google Docs more lately.

Today, however, I discovered a huge security breach in Google Docs. While I was in my account working on a spreadsheet I suddenly found my Google Doc account listing many documents that did not belong to me. I clicked on one of the documents and the results are in the image below, where my Google Doc session appears to have "crossed over" with another user's.

I decided to do a bit more exploring and take a few more screenshots, because I don't yet know how to reproduce this security breach. The image below shows a Google document (fifth from the top) which is not owned by me listed as "owned by me". However, when I click on this mysterious "owned by me" document, it is owned by another user. Here is another screenshot below; you can click on the image for the full-screen version.

Again, here is another example of the same security violation with two documents. As above, you can click on the image for a full-screen version.

I contacted the owner of the Google Docs account which I had suddenly and mysteriously "crossed sessions" with today. I asked him if he was in Thailand (since a few of the documents were in Thai) and he said yes; however, he said he did not have any Thai language documents in his account. However, as you can see from the screenshot, the Google Docs menu shows this person as "the owner" of a Thai language document. He also mentioned that, today, he saw "weird documents" in his account that did not belong to him (or were "normally" shared with him).

Unfortunately, I was having problems with the Internet connection in my hotel room so I could not continue to investigate the breach. When I logged back in a few hours later, everything was back to normal. So far, all is "normal" and I have not been able to repeat this breach.

I suspect the Google Docs flaw comes from a JavaScript error in how Google manages user sessions. The bottom line is that the security breach is real and dangerous. Your Google Docs, and I suspect other Google applications that use the same session management code, are vulnerable. There may be an underlying XSS vulnerability as well.


About the (ISC)² Blog

As the certifying body for more than 125,000 cyber, information, software and infrastructure security professionals worldwide, (ISC)² believes in the importance of open dialogue and collaboration. (ISC)² established this blog to provide a voice to certified members, who have significant knowledge and valuable insights that can benefit other security professionals and the public at large.
